Until now, electronic commerce utilizing IC cards and debit cards has assumed user verification associated with a PKI system. In most cases where an IC card or a debit card is used, however, the user is verified with a password (PIN), and there is thus a danger of fraudulent use (spoofing or identity fraud), as in the case of a conventional bankcard.
More precisely, users who are not accustomed to using a password tend to choose easy-to-remember strings of characters or digits as passwords or PINs; for example, the user's or a family member's name or birthday, telephone number, favorite word, etc. Passwords or PINs can easily be leaked or stolen if they are noted down, or if they are “shoulder surfed” (someone watches from a nearby location as the user punches in the password on a ten-key pad) at the time debit cards are used at merchandise locations.
Such identity theft commonly occurs, as is evident from the frequency of cases in which money is easily stolen from a victim's accounts by using a stolen bankcard. This proves that user verification with a password is insufficient for security purposes.
Employing passwords in user verification simplifies systems and reduces manufacturing costs, but it requires the user to be security-conscious. For example, a password should not be the user's or a family member's name or birthday, telephone number, or favorite word. Writing down a password should of course be prohibited. Further, the user must always be cautious about the theft of a password whenever he uses that password, because third parties can read passwords from the movement of a user's fingers while he is punching in his password.
Further, as in the case of a password, the user must be careful with an encryption key. Generally speaking, memorizing an encryption/decryption key is troublesome because its character string is exceedingly long. Hence, the key is normally stored in a computer or on a flexible disk, and it is read therefrom as necessary. At the time the key is read out, a password is often used to retain the security of the key. At that time, a short, easy-to-memorize character string should not be used merely because a lengthy character string is difficult to memorize; such a short character string will significantly diminish the security of the key.
The foregoing problems are found also in IC cards and debit cards. No matter how the tamper-resistant properties of IC cards are improved to protect the encryption key (secret key) stored therein from theft, all the efforts come to nothing without the users' awareness of the security of passwords.
Hence, in electronic commerce utilizing IC cards or debit cards, it is required to combine the PIN verification with biometric user verification (for example, fingerprints, voice, iris patterns, facial patterns, retina patterns, blood vessel patterns, hand shapes, signatures, keystrokes, signature dynamics, and so on), so that a security setting independent of the user is realized.
Biometric information utilizes characteristics of the human body that are unique to a user. It avoids the necessity of memorizing or writing down passwords, and it cannot be surmised by third parties. Further, biometric information is difficult to counterfeit, and thus, even if a user is watched as he is undergoing biometric verification, it is impossible to fake the biometric information. Hence, biometric user verification is the optimum choice in a case where user verification is of great importance.
A debit card is a bankcard that can be used to shop at merchandise locations. Thus, if a password (PIN) for a debit card is stolen, a lot of harm will be caused. For this reason, in a system (for example, debit cards) where a PIN is requested as verification, it is strongly expected that the input of a PIN will be associated with biometric user verification.
On the other hand, with recent increases in the storage capacity of IC cards, it is now possible to store/register from hundreds of bytes to 2 kilobytes of biometric feature data in an IC card. A small-sized processor (CPU) built in an IC card allows the IC card to serve as a data processor.
Existing processors for IC cards, however, do not have the ability to execute all the processing of biometric feature data. Thus, an IC card terminal (external data processing device) for accessing IC cards samples the biometric information of the user to be verified and extracts therefrom biometric feature data (hereinafter called “to-be-verified biometric feature data”) for use in user verification, while the IC card is devoted to the verification of the extracted biometric feature data (for example, see Japanese Patent Application Publication No. HEI 10-312459). More precisely, an IC card stores, in advance, its authorized user's biometric feature data as valid biometric feature data. Upon receipt of to-be-verified biometric feature data from the IC card terminal, the IC card compares the to-be-verified biometric feature data with the valid biometric feature data, and then returns the comparison/verification result to the IC card terminal.
Applying the relationship between the IC card and the IC card terminal to a client-server fingerprint verification method, the IC card terminal corresponds to a client which extracts fingerprint features, and the IC card corresponds to a server which verifies the fingerprint feature data. The foregoing verification method using an IC card, however, differs from the client-server fingerprint verification method in that, in the former method, the IC card, which corresponds to the server of the latter method, is carried by a user as a highly tamper-resistant portable electronic device. Since biometric feature data verification and its subsequent processing are executed on the IC card which is carried by a user, not on a server which is managed by a third party, the former offers the advantage of ensuring user privacy.
However, the foregoing combination of biometric information and an IC card still has problems to be solved. The problems are that to-be-verified biometric feature data is sent, as it is, from the IC card terminal to the IC card, and that a verification result is sent out from the IC card as an OK/NG signal (0/1 signal). As a result, no matter how superior the tamper-resistant properties of the IC card are, there still remains the possibility that the data transmitted/received between the IC card and the IC card terminal may be wrongfully obtained and used by third parties. In other words, the existing combination of an IC card and biometric information has not taken full advantage of the high tamper-resistant property of a recent IC card.
Accordingly, it has been expected that a high level of security will be guaranteed when to-be-verified biometric feature data is input to an IC card, and also when a verification result obtained within an IC card is sent out to an external apparatus.
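The weakness of the bare OK/NG signal described above, shown as an added example (not part of the original document, and not the method this document goes on to propose): a single result byte can be altered in transit unnoticed, whereas a result bound to a fresh terminal nonce with an HMAC cannot be altered or replayed. The shared key, the nonce, the Hamming-distance matcher and all names are assumptions made for illustration; protection of the feature data on its way into the card is not covered.

```python
import hashlib, hmac, secrets

THRESHOLD = 8  # max differing bits tolerated (constructed value)

class Card:
    """Toy match-on-card device: template and key stay inside the object."""
    def __init__(self, template: bytes, key: bytes):
        self._template, self._key = template, key

    def _match(self, features: bytes) -> bool:
        if len(features) != len(self._template):
            return False
        bits = sum(bin(a ^ b).count("1") for a, b in zip(features, self._template))
        return bits <= THRESHOLD

    def verify_legacy(self, features: bytes) -> bytes:
        # Bare OK/NG byte, as in the existing scheme the text describes.
        return b"\x01" if self._match(features) else b"\x00"

    def verify_bound(self, features: bytes, nonce: bytes) -> bytes:
        # Result byte plus HMAC over (terminal nonce || result).
        result = self.verify_legacy(features)
        return result + hmac.new(self._key, nonce + result, hashlib.sha256).digest()

def terminal_accepts_legacy(response: bytes) -> bool:
    return response == b"\x01"  # nothing ties this byte to the card

def terminal_accepts_bound(key: bytes, nonce: bytes, response: bytes) -> bool:
    if len(response) != 1 + hashlib.sha256().digest_size:
        return False
    result, tag = response[:1], response[1:]
    expected = hmac.new(key, nonce + result, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected) and result == b"\x01"

def demo() -> dict:
    key = secrets.token_bytes(32)                # assumed card/terminal shared key
    enrolled = bytes(range(16))                  # constructed template
    impostor = bytes(255 - b for b in enrolled)  # constructed non-matching sample
    card = Card(enrolled, key)
    n1, n2 = secrets.token_bytes(16), secrets.token_bytes(16)
    ok_for_n1 = card.verify_bound(enrolled, n1)
    ng_for_n2 = card.verify_bound(impostor, n2)
    return {
        "card_says_ng": card.verify_legacy(impostor) == b"\x00",
        "legacy_altered_byte_accepted": terminal_accepts_legacy(b"\x01"),
        "bound_genuine_accepted": terminal_accepts_bound(key, n1, ok_for_n1),
        "bound_replay_accepted": terminal_accepts_bound(key, n2, ok_for_n1),
        "bound_flipped_accepted": terminal_accepts_bound(key, n2, b"\x01" + ng_for_n2[1:]),
    }
```

The terminal in the legacy case has no way to tell a card-issued OK from one substituted on the wire; in the bound case both the replayed and the flipped responses fail the tag check.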
With the foregoing problems in view, one object of the present invention is to realize secure user verification. The present invention is applied to a system (for example, debit cards) where the input of a PIN is requested as verification, making it possible to use PIN verification in association with biometric feature data, which is not susceptible to being stolen or faked. The leakage and theft of the PIN are thus reliably prevented, so that a high level of security can be guaranteed.
Another object of the invention is to guarantee a high level of security when to-be-verified biometric feature data is input to a portable electronic device, such as an IC card, and also when a verification result obtained within an IC card is sent out to an external apparatus, so that secure user verification is realized.